<p>Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3. </p><p>Tested with MySQL versions 5.1.53 and 5.5.41.</p><p><br></p><p>## Overview</p><p>Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in </p><p>WordPress comments. The script is triggered when the comment is viewed.</p><p> </p><p>If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to </p><p>execute arbitrary code on the server via the plugin and theme editors.</p><p> </p><p>Alternatively the attacker could change the administrator’s password, create new administrator accounts, </p><p>or do whatever else the currently logged-in administrator can do on the target system.</p><p> </p><p> </p><p> </p><p>## Details</p><p>If the comment text is long enough, it will be truncated when inserted in the database. </p><p>The MySQL TEXT type size limit is 64 kilobytes, so the comment...
<p>Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3. </p><p>Tested with MySQL versions 5.1.53 and 5.5.41.</p><p><br></p><p>## Overview</p><p>Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in </p><p>WordPress comments. The script is triggered when the comment is viewed.</p><p> </p><p>If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to </p><p>execute arbitrary code on the server via the plugin and theme editors.</p><p> </p><p>Alternatively the attacker could change the administrator’s password, create new administrator accounts, </p><p>or do whatever else the currently logged-in administrator can do on the target system.</p><p> </p><p> </p><p> </p><p>## Details</p><p>If the comment text is long enough, it will be truncated when inserted in the database. </p><p>The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.</p><p> </p><p>The truncation results in malformed HTML generated on the page. </p><p>The attacker can supply any attributes in the allowed HTML tags, in the same way </p><p>as with the two recently published stored XSS vulnerabilities affecting the WordPress core.</p><p> </p><p>The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in </p><p>2014 (patched this week, after 14 months). Instead of using an invalid character to truncate </p><p>the comment, this time an excessively long comment is used for the same effect.</p><p> </p><p>In these two cases, the injected JavaScript apparently can't be triggered in the </p><p>administrative Dashboard so these exploits seem to require getting around comment </p><p>moderation e.g. by posting one harmless comment first.</p><p> </p><p>The similar vulnerability released by Klikki in November 2014 could be exploited in the </p><p>administrative Dashboard while the comment is still in the moderation queue. Some </p><p>exploit attempts of this have been recently reported in the wild.</p>
